The following abbreviations are herewith defined, at least some of which are referred to within the following description of the state-of-the-art and the present invention.
CPU Central Processing Unit
IEEE Institute of Electrical and Electronics Engineers
ITU International Telecommunication Union
LAN Local Area Network
L2 layer 2 (a reference to the OSI reference model for networks)
MAC Media Access Control
MAN Metropolitan Area Network
OSI Open Systems Interconnection (initiative)
VLAN Virtual Local Area Network
WAN Wide Area Network
Computers are often connected together through a network so that data may be exchanged between them and computing resources may be shared. Two computers may be directly connected, of course, but more typically a network is formed of many interconnected nodes. Such networks are often classified as, for example, LANs, MANs, and WANs according to their size and function. A network may be connected with one or more other networks. The network nodes, such as bridges, switches, or routers, are generally not data destinations themselves, but simply receive data and forward it toward its intended destination. This packet routing is typically done according to a set of standard protocols such as the Ethernet protocol described in a standard referred to as IEEE 802.3 and in various related protocols.
In a packet-switched network, the data in one computing device may be divided into a great many discrete segments, often called packets, that are individually addressed and transmitted toward their destination. The packets may take different routes from origin to destination, but are provided with identifying information and sequentially numbered so that they may be reassembled in their proper order. The identifying information also includes the identity of the source and the intended destination of the packets.
The rules for packet routing according to Ethernet or similar standards are numerous, but one example will be described with reference to FIGS. 1 and 2 as background for describing the present invention.
FIG. 1 is a simplified schematic diagram illustrating selected components of a typical network 100. In network 100, there is shown a single server 110 and a single network node 101, which may for example be a switch or a router. Server 110 is in direct communication with node 101, a connection having been established between port 112 of server 110 and port 102 of node 101. Note that while a direct physical connection, such as a wire or optical fiber, is illustrated in FIG. 1, the presence of an intermediate device such as a repeater or hub is not precluded. In network 100, client 120 is in direct communication with node 101, with port 121 of client 120 connected to port 103 of node 101. Similarly, clients 130, 140, and 150 are also in direct communication, with ports 122, 123, and 124 being connected, respectively, to ports 104, 105, and 106 of node 101.
As might be expected, many actual networks include a larger number of interconnected nodes and enable data communication between many servers and clients. In addition, communication between each client and server, or between two or more peer devices, may actually travel through multiple network nodes before reaching its destination. In any case, the network node 101 is capable of receiving a data packet transmission from a source (or intermediate node) on one port, examining the packets to determine their intended destination, and forwarding the packets toward it. FIGS. 1 and 2 illustrate briefly how this is done in a typical network.
Each data packet will include header information indicating the address, for example the MAC address, of the source and the intended destination, each address being associated with a unique hardware device. In an Ethernet network, a layer 2 (L2) hardware lookup table (not shown in FIG. 1) in node 101 is used to keep track of routing information associated with various addresses encountered by the node. In the example of FIG. 1 it is assumed that an L2 hardware lookup table of node 101 associates the client 120 with port 103 of node
As a result, when packets (as indicated by the arrows in FIG. 1) arrive on port 102 of node 101 and indicate that they are intended for delivery to client 120, then node 101 forwards the packets on port 103. Note that port 103 could be associated with client 120 even if port 121 of client 120 were not in direct communication with port 103, although that is not the case in the example of FIG. 1. Note also that when the packets from server 110 are received at node 101, an entry may be made in the L2 hardware lookup tables of node 101 associating server 110 with port 102. If and when packets are received in node 101 destined for server 110, they can be forwarded on port 102.
If network node 101 has not learned to associate a particular port with an intended destination, then the received packets are typically flooded on all ports (except the port on which they were received). FIG. 2 is the simplified schematic diagram of FIG. 1, illustrating the broadcasting, or flooding, of packets when the route to the intended recipient is unknown to the network node 101. In this example a failure in the direct communication link between port 103 of node 101 and port 121 of client 120 is indicated. In operation, the node 101 and client 120 regularly communicate with each other to confirm the integrity of this communication link. A failure to receive these regular communications in node 101 indicates that client device 120 is no longer available on port 103, and the entry associating them in the L2 hardware lookup table is removed.
In this case, when packets intended for client 120 are received at port 102 of node 101, they are flooded, or broadcast to all ports except the port 102 on which they were received. (In this example, they are also not sent on port 103, as a failure of that link has been perceived.) As illustrated in FIG. 2, this includes forwarding packets on ports 104, 105, and 106. As should be apparent, the packets will in this scenario not reach their intended destination, client 120, but they will be received at clients 130, 140, and 150. This raises a network security risk. While in most instances clients 130, 140, and 150 will simply discard the packets when they determine they are not the intended destination, a malicious recipient may instead process them to learn the information that was intended for client 120. The flooding, through which the packets will not reach their intended destination due to the link failure, also unnecessarily consumes network resources.
In some networks, the flooding of packets may be limited by instituting one or more VLANs, and associating only certain ports on node 101 with each VLAN. When packets received at node 101 include a VLAN identifier, if the destination address is not associated with a particular port on the L2 hardware lookup table, flooding is nevertheless limited to ports associated with the identified VLAN. While utilizing VLANs does reduce the security risk associated with flooding the packets to all ports, and the unnecessary consumption of network resources, it does not fully eliminate these concerns. Another solution, at least to the security concerns, is encrypting the packets that are sent from the server 110 to client 120. Again, however, this does not eliminate the security risk entirely. A malicious user with an adversary device that receives flooded packets may attempt to secure the keys needed for decryption.
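The learning, forwarding, and flooding behavior described with reference to FIGS. 1 and 2, and the VLAN limitation described above, can be traced with the following short model. It is an illustration added here and is not part of the original description; the class and function names, the placeholder address strings, and the particular assignment of ports to VLANs 10 and 20 are assumptions, and the VLAN is taken from the receiving port rather than from an identifier in the packet.

```python
# Added illustration: toy model of node 101's L2 lookup table.
# Names, address strings and VLAN assignments are assumptions, not from the text.

class L2Node:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)  # port number -> VLAN id
        self.table = {}                     # (vlan, address) -> port
        self.down = set()                   # ports whose link has failed

    def link_down(self, port):
        """Link failure perceived: remove every entry learned on that port."""
        self.down.add(port)
        self.table = {k: p for k, p in self.table.items() if p != port}

    def receive(self, in_port, src, dst):
        """Learn the source, then return the ports the packet is sent on."""
        vlan = self.port_vlans[in_port]
        self.table[(vlan, src)] = in_port
        out = self.table.get((vlan, dst))
        if out is not None:
            return [out]                    # known destination: one port
        # Unknown destination: flood within the VLAN, skipping the
        # receiving port and any port with a failed link.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port and p not in self.down)

# Constructed port layouts using the port numbers of FIG. 1.
FLAT = {102: 1, 103: 1, 104: 1, 105: 1, 106: 1}         # no VLAN separation
SPLIT = {102: 10, 103: 10, 104: 10, 105: 20, 106: 20}   # assumed VLAN split

def demo(port_vlans):
    """Return (ports used before the link failure, ports used after it)."""
    node = L2Node(port_vlans)
    node.receive(103, "client120", "server110")   # node learns client 120 on 103
    before = node.receive(102, "server110", "client120")
    node.link_down(103)                           # FIG. 2: link to client 120 fails
    after = node.receive(102, "server110", "client120")
    return before, after

if __name__ == "__main__":
    print("flat :", demo(FLAT))
    print("vlans:", demo(SPLIT))
```

With no VLAN separation the packets for client 120 are sent on ports 104, 105, and 106 after the failure; with the assumed VLAN split they are still sent on port 104, which shows why VLANs reduce but do not eliminate the exposure.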
Needed, then, is a manner of controlling the flooding of packets in packet-switched networks when the destination address of packets received at a network node cannot be associated with a particular port by the node at which they were received.